Diffstat (limited to 'keystore/java')
13 files changed, 101 insertions, 87 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 6a08368..98b44dc 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -40,6 +40,7 @@ import android.security.keystore.KeyPermanentlyInvalidatedException; import android.security.keystore.UserNotAuthenticatedException; import android.util.Log; +import java.math.BigInteger; import java.security.InvalidKeyException; import java.util.List; import java.util.Locale; @@ -663,14 +664,14 @@ public class KeyStore { "Failed to obtained key characteristics", getKeyStoreException(getKeyCharacteristicsErrorCode)); } - List<Long> keySids = - keyCharacteristics.getLongs(KeymasterDefs.KM_TAG_USER_SECURE_ID); + List<BigInteger> keySids = + keyCharacteristics.getUnsignedLongs(KeymasterDefs.KM_TAG_USER_SECURE_ID); if (keySids.isEmpty()) { // Key is not bound to any SIDs -- no amount of authentication will help here. return new KeyPermanentlyInvalidatedException(); } long rootSid = GateKeeper.getSecureUserId(); - if ((rootSid != 0) && (keySids.contains(Long.valueOf(rootSid)))) { + if ((rootSid != 0) && (keySids.contains(KeymasterArguments.toUint64(rootSid)))) { // One of the key's SIDs is the current root SID -- user can be authenticated // against that SID. return new UserNotAuthenticatedException(); @@ -678,7 +679,7 @@ public class KeyStore { long fingerprintOnlySid = getFingerprintOnlySid(); if ((fingerprintOnlySid != 0) - && (keySids.contains(Long.valueOf(fingerprintOnlySid)))) { + && (keySids.contains(KeymasterArguments.toUint64(fingerprintOnlySid)))) { // One of the key's SIDs is the current fingerprint SID -- user can be // authenticated against that SID. return new UserNotAuthenticatedException(); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreAuthenticatedAESCipherSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreAuthenticatedAESCipherSpi.java index f412743..83dad0e 100644 
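Review bot: The SID match in the -663 hunk and in the `fingerprintOnlySid` hunk after it now depends on `KeymasterArguments.toUint64` and `getUnsignedLongs` producing the same non-negative `BigInteger` for a given 64-bit pattern, and nothing at the call site records that. Neither helper is visible in this diff, so this should be confirmed, since the match decides whether `UserNotAuthenticatedException` is returned for the key. Suggested comment above the `rootSid` check: `// SIDs are unsigned 64-bit; compare as BigInteger so values with the top bit set still match.` The `!= 0` guards still test the signed `long`, which is fine because zero has the same representation either way. The enclosing method starts and ends outside both hunks.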
--- a/keystore/java/android/security/keystore/AndroidKeyStoreAuthenticatedAESCipherSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreAuthenticatedAESCipherSpi.java @@ -207,7 +207,7 @@ abstract class AndroidKeyStoreAuthenticatedAESCipherSpi extends AndroidKeyStoreC protected final void addAlgorithmSpecificParametersToBegin( @NonNull KeymasterArguments keymasterArgs) { super.addAlgorithmSpecificParametersToBegin(keymasterArgs); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, mTagLengthBits); + keymasterArgs.addUnsignedInt(KeymasterDefs.KM_TAG_MAC_LENGTH, mTagLengthBits); } protected final int getTagLengthBits() { @@ -288,11 +288,11 @@ abstract class AndroidKeyStoreAuthenticatedAESCipherSpi extends AndroidKeyStoreC + " practices."); } - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockMode); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockMode); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); if (mIv != null) { - keymasterArgs.addBlob(KeymasterDefs.KM_TAG_NONCE, mIv); + keymasterArgs.addBytes(KeymasterDefs.KM_TAG_NONCE, mIv); } } @@ -302,7 +302,7 @@ abstract class AndroidKeyStoreAuthenticatedAESCipherSpi extends AndroidKeyStoreC mIvHasBeenUsed = true; // NOTE: Keymaster doesn't always return an IV, even if it's used. - byte[] returnedIv = keymasterArgs.getBlob(KeymasterDefs.KM_TAG_NONCE, null); + byte[] returnedIv = keymasterArgs.getBytes(KeymasterDefs.KM_TAG_NONCE, null); if ((returnedIv != null) && (returnedIv.length == 0)) { returnedIv = null; } 
@@ -406,7 +406,7 @@ abstract class AndroidKeyStoreAuthenticatedAESCipherSpi extends AndroidKeyStoreC @Override public OperationResult update(byte[] input) { KeymasterArguments keymasterArgs = new KeymasterArguments(); - keymasterArgs.addBlob(KeymasterDefs.KM_TAG_ASSOCIATED_DATA, input); + keymasterArgs.addBytes(KeymasterDefs.KM_TAG_ASSOCIATED_DATA, input); // KeyStore does not reflect AAD in inputConsumed, but users of Stream rely on this // field. We fix this discrepancy here. KeyStore.update contract is that all of AAD diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java index d19a766..f80feef 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java @@ -89,11 +89,13 @@ abstract class AndroidKeyStoreECDSASignatureSpi extends AndroidKeyStoreSignature if (errorCode != KeyStore.NO_ERROR) { throw getKeyStore().getInvalidKeyException(key.getAlias(), errorCode); } - int keySizeBits = keyCharacteristics.getInt(KeymasterDefs.KM_TAG_KEY_SIZE, -1); + long keySizeBits = keyCharacteristics.getUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, -1); if (keySizeBits == -1) { throw new InvalidKeyException("Size of key not known"); + } else if (keySizeBits > Integer.MAX_VALUE) { + throw new InvalidKeyException("Key too large: " + keySizeBits + " bits"); } - mGroupSizeBytes = (keySizeBits + 7) / 8; + mGroupSizeBytes = (int) ((keySizeBits + 7) / 8); super.initKey(key); } 
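Review bot: The new range check on `keySizeBits` in the `AndroidKeyStoreECDSASignatureSpi` -89 hunk rejects only values above `Integer.MAX_VALUE`, so 0 and implausibly large sizes reported in the key characteristics still pass and end up in `mGroupSizeBytes`. How `mGroupSizeBytes` is used is outside the hunk; if it sizes buffers or drives signature parsing, a bound tied to the algorithm would fail earlier, for example `if (keySizeBits < 1 || keySizeBits > MAX_SUPPORTED_KEY_SIZE_BITS)` (placeholder constant name). The same pattern appears in the `AndroidKeyStoreRSACipherSpi` -500 hunk (`mModulusSizeBytes`) and the `AndroidKeyStoreSecretKeyFactorySpi` -93 hunk (`keySize`). The method that ends with `super.initKey(key)` begins outside the hunk.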
@@ -112,8 +114,8 @@ abstract class AndroidKeyStoreECDSASignatureSpi extends AndroidKeyStoreSignature @Override protected void addAlgorithmSpecificParametersToBegin( @NonNull KeymasterArguments keymasterArgs) { - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_EC); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_EC); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); } @Override diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java index f7c184c..cc858d3 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java @@ -159,9 +159,9 @@ public abstract class AndroidKeyStoreHmacSpi extends MacSpi implements KeyStoreC } KeymasterArguments keymasterArgs = new KeymasterArguments(); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_HMAC); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, mMacSizeBits); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_HMAC); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); + keymasterArgs.addUnsignedInt(KeymasterDefs.KM_TAG_MAC_LENGTH, mMacSizeBits); OperationResult opResult = mKeyStore.begin( mKey.getAlias(), diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java index 66509e2..258133d 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java 
@@ -268,12 +268,12 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { } KeymasterArguments args = new KeymasterArguments(); - args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); - args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); - args.addInts(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); - args.addInts(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); - args.addInts(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings); - args.addInts(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); + args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); + args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); + args.addEnums(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); + args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings); + args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); KeymasterUtils.addUserAuthArgs(args, spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds()); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index ff265cf..3058bd3 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -160,7 +160,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato private int[] mKeymasterSignaturePaddings; private int[] mKeymasterDigests; - private long mRSAPublicExponent; + private BigInteger mRSAPublicExponent; protected AndroidKeyStoreKeyPairGeneratorSpi(int keymasterAlgorithm) { mOriginalKeymasterAlgorithm = keymasterAlgorithm; 
@@ -320,7 +320,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mKeymasterDigests = null; mKeySizeBits = 0; mSpec = null; - mRSAPublicExponent = -1; + mRSAPublicExponent = null; mEncryptionAtRestRequired = false; mRng = null; mKeyStore = null; @@ -353,12 +353,12 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato throw new InvalidAlgorithmParameterException( "RSA public exponent must be positive: " + publicExponent); } - if (publicExponent.compareTo(BigInteger.valueOf(Long.MAX_VALUE)) > 0) { + if (publicExponent.compareTo(KeymasterArguments.UINT64_MAX_VALUE) > 0) { throw new InvalidAlgorithmParameterException( "Unsupported RSA public exponent: " + publicExponent - + ". Only exponents <= " + Long.MAX_VALUE + " supported"); + + ". Maximum supported value: " + KeymasterArguments.UINT64_MAX_VALUE); } - mRSAPublicExponent = publicExponent.longValue(); + mRSAPublicExponent = publicExponent; break; } case KeymasterDefs.KM_ALGORITHM_EC: 
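Review bot: Resetting `mRSAPublicExponent` to `null` in the -320 hunk changes the unset state from a numeric sentinel to a reference that the -493 hunk passes straight to `addUnsignedLong` without a guard. The code that guarantees the field is set before key generation is outside these hunks, so the invariant should be written down at the field declaration (the -160 hunk), e.g. `// null until a validated RSA public exponent has been set`. If `addUnsignedLong` does not reject null itself, which this diff does not show, an explicit check in `addAlgorithmSpecificParameters` would fail more clearly than a NullPointerException during argument marshalling.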
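Review bot: With the upper bound in the -353 hunk raised to `KeymasterArguments.UINT64_MAX_VALUE`, the only lower-bound validation visible here is the "must be positive" check, so an exponent of 1 or any even value passes this method. Whether keymaster rejects such values later is not visible in the diff; if keymaster is the intended gatekeeper, a comment should say so, e.g. `// Only the range is checked here; keymaster decides whether the exponent is usable.` The enclosing switch case starts above the hunk.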
@@ -404,13 +404,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } KeymasterArguments args = new KeymasterArguments(); - args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); - args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); - args.addInts(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); - args.addInts(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); - args.addInts(KeymasterDefs.KM_TAG_PADDING, mKeymasterEncryptionPaddings); - args.addInts(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings); - args.addInts(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); + args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); + args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); + args.addEnums(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); + args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterEncryptionPaddings); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings); + args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); KeymasterUtils.addUserAuthArgs(args, mSpec.isUserAuthenticationRequired(), @@ -493,7 +493,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato private void addAlgorithmSpecificParameters(KeymasterArguments keymasterArgs) { switch (mKeymasterAlgorithm) { case KeymasterDefs.KM_ALGORITHM_RSA: - keymasterArgs.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, mRSAPublicExponent); + keymasterArgs.addUnsignedLong( + KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, mRSAPublicExponent); break; case KeymasterDefs.KM_ALGORITHM_EC: break; diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java index 967319a..ba39ba7 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java 
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java @@ -226,8 +226,8 @@ public class AndroidKeyStoreProvider extends Provider { } final byte[] x509EncodedPublicKey = exportResult.exportData; - int keymasterAlgorithm = keyCharacteristics.getInt(KeymasterDefs.KM_TAG_ALGORITHM, -1); - if (keymasterAlgorithm == -1) { + Integer keymasterAlgorithm = keyCharacteristics.getEnum(KeymasterDefs.KM_TAG_ALGORITHM); + if (keymasterAlgorithm == null) { throw new UnrecoverableKeyException("Key algorithm unknown"); } @@ -277,13 +277,12 @@ public class AndroidKeyStoreProvider extends Provider { .initCause(KeyStore.getKeyStoreException(errorCode)); } - int keymasterAlgorithm = keyCharacteristics.getInt(KeymasterDefs.KM_TAG_ALGORITHM, -1); - if (keymasterAlgorithm == -1) { + Integer keymasterAlgorithm = keyCharacteristics.getEnum(KeymasterDefs.KM_TAG_ALGORITHM); + if (keymasterAlgorithm == null) { throw new UnrecoverableKeyException("Key algorithm unknown"); } - List<Integer> keymasterDigests = - keyCharacteristics.getInts(KeymasterDefs.KM_TAG_DIGEST); + List<Integer> keymasterDigests = keyCharacteristics.getEnums(KeymasterDefs.KM_TAG_DIGEST); int keymasterDigest; if (keymasterDigests.isEmpty()) { keymasterDigest = -1; diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java index 38e216d..1d4ca40 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java 
@@ -374,7 +374,7 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase protected final void addAlgorithmSpecificParametersToBegin( KeymasterArguments keymasterArgs) { super.addAlgorithmSpecificParametersToBegin(keymasterArgs); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); } @Override @@ -500,11 +500,13 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase if (errorCode != KeyStore.NO_ERROR) { throw getKeyStore().getInvalidKeyException(keystoreKey.getAlias(), errorCode); } - int keySizeBits = keyCharacteristics.getInt(KeymasterDefs.KM_TAG_KEY_SIZE, -1); + long keySizeBits = keyCharacteristics.getUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, -1); if (keySizeBits == -1) { throw new InvalidKeyException("Size of key not known"); + } else if (keySizeBits > Integer.MAX_VALUE) { + throw new InvalidKeyException("Key too large: " + keySizeBits + " bits"); } - mModulusSizeBytes = (keySizeBits + 7) / 8; + mModulusSizeBytes = (int) ((keySizeBits + 7) / 8); setKey(keystoreKey); } 
@@ -527,14 +529,14 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase @Override protected void addAlgorithmSpecificParametersToBegin( @NonNull KeymasterArguments keymasterArgs) { - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); int purposeOverride = getKeymasterPurposeOverride(); if ((purposeOverride != -1) && ((purposeOverride == KeymasterDefs.KM_PURPOSE_SIGN) || (purposeOverride == KeymasterDefs.KM_PURPOSE_VERIFY))) { // Keymaster sign/verify requires digest to be specified. For raw sign/verify it's NONE. - keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_NONE); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_NONE); } } diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java index 954b71a..ecfc97e 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java 
@@ -157,8 +157,8 @@ abstract class AndroidKeyStoreRSASignatureSpi extends AndroidKeyStoreSignatureSp @Override protected final void addAlgorithmSpecificParametersToBegin( @NonNull KeymasterArguments keymasterArgs) { - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); } } diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java index 7887923..9a2f908 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java 
@@ -93,26 +93,29 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { if (keyCharacteristics.hwEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { insideSecureHardware = true; origin = KeyProperties.Origin.fromKeymaster( - keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); + keyCharacteristics.hwEnforced.getEnum(KeymasterDefs.KM_TAG_ORIGIN, -1)); } else if (keyCharacteristics.swEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { insideSecureHardware = false; origin = KeyProperties.Origin.fromKeymaster( - keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); + keyCharacteristics.swEnforced.getEnum(KeymasterDefs.KM_TAG_ORIGIN, -1)); } else { throw new ProviderException("Key origin not available"); } - Integer keySizeInteger = keyCharacteristics.getInteger(KeymasterDefs.KM_TAG_KEY_SIZE); - if (keySizeInteger == null) { + long keySizeUnsigned = + keyCharacteristics.getUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, -1); + if (keySizeUnsigned == -1) { throw new ProviderException("Key size not available"); + } else if (keySizeUnsigned > Integer.MAX_VALUE) { + throw new ProviderException("Key too large: " + keySizeUnsigned + " bits"); } - keySize = keySizeInteger; + keySize = (int) keySizeUnsigned; purposes = KeyProperties.Purpose.allFromKeymaster( - keyCharacteristics.getInts(KeymasterDefs.KM_TAG_PURPOSE)); + keyCharacteristics.getEnums(KeymasterDefs.KM_TAG_PURPOSE)); List<String> encryptionPaddingsList = new ArrayList<String>(); List<String> signaturePaddingsList = new ArrayList<String>(); // Keymaster stores both types of paddings in the same array -- we split it into two. - for (int keymasterPadding : keyCharacteristics.getInts(KeymasterDefs.KM_TAG_PADDING)) { + for (int keymasterPadding : keyCharacteristics.getEnums(KeymasterDefs.KM_TAG_PADDING)) { try { @KeyProperties.EncryptionPaddingEnum String jcaPadding = KeyProperties.EncryptionPadding.fromKeymaster(keymasterPadding); 
@@ -135,13 +138,13 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { signaturePaddingsList.toArray(new String[signaturePaddingsList.size()]); digests = KeyProperties.Digest.allFromKeymaster( - keyCharacteristics.getInts(KeymasterDefs.KM_TAG_DIGEST)); + keyCharacteristics.getEnums(KeymasterDefs.KM_TAG_DIGEST)); blockModes = KeyProperties.BlockMode.allFromKeymaster( - keyCharacteristics.getInts(KeymasterDefs.KM_TAG_BLOCK_MODE)); + keyCharacteristics.getEnums(KeymasterDefs.KM_TAG_BLOCK_MODE)); keymasterSwEnforcedUserAuthenticators = - keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 0); + keyCharacteristics.swEnforced.getEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 0); keymasterHwEnforcedUserAuthenticators = - keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 0); + keyCharacteristics.hwEnforced.getEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 0); } catch (IllegalArgumentException e) { throw new ProviderException("Unsupported key characteristic", e); } @@ -153,8 +156,12 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { keyCharacteristics.getDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME); boolean userAuthenticationRequired = !keyCharacteristics.getBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); - int userAuthenticationValidityDurationSeconds = - keyCharacteristics.getInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, -1); + long userAuthenticationValidityDurationSeconds = + keyCharacteristics.getUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, -1); + if (userAuthenticationValidityDurationSeconds > Integer.MAX_VALUE) { + throw new ProviderException("User authentication timeout validity too long: " + + userAuthenticationValidityDurationSeconds + " seconds"); + } boolean userAuthenticationRequirementEnforcedBySecureHardware = (userAuthenticationRequired) && (keymasterHwEnforcedUserAuthenticators != 0) && (keymasterSwEnforcedUserAuthenticators == 0); 
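Review bot: In the -153 hunk `userAuthenticationValidityDurationSeconds` becomes a `long` that carries both the `-1` default and the unsigned range, while the narrowing cast sits in the separate -172 hunk, away from the check that makes it safe. Narrowing right after the check keeps the two together, e.g. `int validitySeconds = (int) userAuthenticationValidityDurationSeconds;`, with `validitySeconds` then passed to the constructor call. A short comment that `-1` is the default used when `KM_TAG_AUTH_TIMEOUT` is absent would also explain why that value is allowed through the range check. The enclosing method starts and ends outside the hunk.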
@@ -172,7 +179,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { digests, blockModes, userAuthenticationRequired, - userAuthenticationValidityDurationSeconds, + (int) userAuthenticationValidityDurationSeconds, userAuthenticationRequirementEnforcedBySecureHardware); } diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java index 084e30e..de483f4 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java @@ -398,18 +398,18 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { importArgs = new KeymasterArguments(); try { - importArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, + importArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeyProperties.KeyAlgorithm.toKeymasterAsymmetricKeyAlgorithm( key.getAlgorithm())); @KeyProperties.PurposeEnum int purposes = spec.getPurposes(); - importArgs.addInts(KeymasterDefs.KM_TAG_PURPOSE, + importArgs.addEnums(KeymasterDefs.KM_TAG_PURPOSE, KeyProperties.Purpose.allToKeymaster(purposes)); if (spec.isDigestsSpecified()) { - importArgs.addInts(KeymasterDefs.KM_TAG_DIGEST, + importArgs.addEnums(KeymasterDefs.KM_TAG_DIGEST, KeyProperties.Digest.allToKeymaster(spec.getDigests())); } - importArgs.addInts(KeymasterDefs.KM_TAG_BLOCK_MODE, + importArgs.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, KeyProperties.BlockMode.allToKeymaster(spec.getBlockModes())); int[] keymasterEncryptionPaddings = KeyProperties.EncryptionPadding.allToKeymaster( 
@@ -429,8 +429,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { } } } - importArgs.addInts(KeymasterDefs.KM_TAG_PADDING, keymasterEncryptionPaddings); - importArgs.addInts(KeymasterDefs.KM_TAG_PADDING, + importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterEncryptionPaddings); + importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING, KeyProperties.SignaturePadding.allToKeymaster(spec.getSignaturePaddings())); KeymasterUtils.addUserAuthArgs(importArgs, spec.isUserAuthenticationRequired(), @@ -567,7 +567,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { } KeymasterArguments args = new KeymasterArguments(); - args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, keymasterAlgorithm); + args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, keymasterAlgorithm); int[] keymasterDigests; if (params.isDigestsSpecified()) { @@ -606,7 +606,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { keymasterDigests = EmptyArray.INT; } } - args.addInts(KeymasterDefs.KM_TAG_DIGEST, keymasterDigests); + args.addEnums(KeymasterDefs.KM_TAG_DIGEST, keymasterDigests); if (keymasterAlgorithm == KeymasterDefs.KM_ALGORITHM_HMAC) { if (keymasterDigests.length == 0) { throw new KeyStoreException("At least one digest algorithm must be specified" 
@@ -630,14 +630,14 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { } } } - args.addInts(KeymasterDefs.KM_TAG_PURPOSE, KeyProperties.Purpose.allToKeymaster(purposes)); - args.addInts(KeymasterDefs.KM_TAG_BLOCK_MODE, keymasterBlockModes); + args.addEnums(KeymasterDefs.KM_TAG_PURPOSE, KeyProperties.Purpose.allToKeymaster(purposes)); + args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, keymasterBlockModes); if (params.getSignaturePaddings().length > 0) { throw new KeyStoreException("Signature paddings not supported for symmetric keys"); } int[] keymasterPaddings = KeyProperties.EncryptionPadding.allToKeymaster( params.getEncryptionPaddings()); - args.addInts(KeymasterDefs.KM_TAG_PADDING, keymasterPaddings); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterPaddings); KeymasterUtils.addUserAuthArgs(args, params.isUserAuthenticationRequired(), params.getUserAuthenticationValidityDurationSeconds()); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreUnauthenticatedAESCipherSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreUnauthenticatedAESCipherSpi.java index 6c53c6a..486519c 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreUnauthenticatedAESCipherSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreUnauthenticatedAESCipherSpi.java 
@@ -240,11 +240,11 @@ class AndroidKeyStoreUnauthenticatedAESCipherSpi extends AndroidKeyStoreCipherSp + " practices."); } - keymasterArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockMode); - keymasterArgs.addInt(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockMode); + keymasterArgs.addEnum(KeymasterDefs.KM_TAG_PADDING, mKeymasterPadding); if ((mIvRequired) && (mIv != null)) { - keymasterArgs.addBlob(KeymasterDefs.KM_TAG_NONCE, mIv); + keymasterArgs.addBytes(KeymasterDefs.KM_TAG_NONCE, mIv); } } @@ -254,7 +254,7 @@ class AndroidKeyStoreUnauthenticatedAESCipherSpi extends AndroidKeyStoreCipherSp mIvHasBeenUsed = true; // NOTE: Keymaster doesn't always return an IV, even if it's used. - byte[] returnedIv = keymasterArgs.getBlob(KeymasterDefs.KM_TAG_NONCE, null); + byte[] returnedIv = keymasterArgs.getBytes(KeymasterDefs.KM_TAG_NONCE, null); if ((returnedIv != null) && (returnedIv.length == 0)) { returnedIv = null; } diff --git a/keystore/java/android/security/keystore/KeymasterUtils.java b/keystore/java/android/security/keystore/KeymasterUtils.java index 4b37d90..0006601 100644 --- a/keystore/java/android/security/keystore/KeymasterUtils.java +++ b/keystore/java/android/security/keystore/KeymasterUtils.java 
@@ -110,8 +110,9 @@ public abstract class KeymasterUtils { "At least one fingerprint must be enrolled to create keys requiring user" + " authentication for every use"); } - args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, fingerprintOnlySid); - args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT); + args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, + KeymasterArguments.toUint64(fingerprintOnlySid)); + args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT); } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. @@ -120,10 +121,11 @@ public abstract class KeymasterUtils { throw new IllegalStateException("Secure lock screen must be enabled" + " to create keys requiring user authentication"); } - args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, rootSid); - args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, + args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, + KeymasterArguments.toUint64(rootSid)); + args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_PASSWORD | KeymasterDefs.HW_AUTH_FINGERPRINT); - args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, + args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, userAuthenticationValidityDurationSeconds); } } |
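Review bot: In the -120 hunk `userAuthenticationValidityDurationSeconds`, which the old code passed to `addInt`, now goes to `addUnsignedInt` for `KM_TAG_AUTH_TIMEOUT`, and the branch condition selecting this path is above the hunk, so it is not visible whether a negative duration can reach it. If `addUnsignedInt` reinterprets a negative value instead of rejecting it, the key would get a very long authorization window; confirm that it throws, or guard here with `if (userAuthenticationValidityDurationSeconds < 0) { throw new IllegalArgumentException("Negative user authentication validity duration"); }`. Separately, `KM_TAG_USER_AUTH_TYPE` receives `HW_AUTH_PASSWORD | HW_AUTH_FINGERPRINT` through `addEnum`; a comment that this tag holds a bitmask would keep a later enum-validity check from breaking it.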